Our aim is to extend this language in order to take into account a large class of timing constraints on systems to describe. Then, we will present a m

Transcription

1 Timed Automata Generation from Estelle Specications H. Fouchal M. Defoin-Platel S. Bloch P. Moreaux E. Petitjean Departement de Mathematiques et Informatique Universite de Reims Champagne-Ardenne Moulin de la Housse, BP 1039, Reims Cedex 2, France Fax : fhacene.fouchal, Simon.Bloch, Patrice.Moreaux, Abstract The aim of this paper is to present a new method to generate timed input/output automata from Estelle specications. The main idea is to extend the ESTELLE language with a new constructor : TVAR, which permits the denition of clocks to be used for time constraints. The second concept is to propose some semantic rules in order to dene how to take into account clock constraints in the ESTELLE specications. We illustrate this method with an example of a system described with ESTELLE and its corresponding timed automaton. Finally, some ideas about the use of timed automata are given. Key-words : Timed Automata, Formal Description Techniques, ESTELLE, Real-Time Systems, Protocol Engineering, Validation. 1 Introduction The development of new technologies such as multimedia systems, and safety-critical real-time systems (plant control systems, air trac control systems) requires us to take into account time in specication. Since their multifunctionings -often caused by timing problems- may have catastrophic consequences, specifying and validating such systems have become an inevitable issue. The model of timed automata (well presented in [AD94]) helps designers to model timed systems. Many studies have been dedicated to this aspect during the last ten years [ACD91, DY96, HNSY92, HNSY94]. In this paper, we will use an extension of timed automata : timed input/output automata [EnFDE97, SVD97, EnFD + 98]. Formal Description Techniques (FDTs) have been developed in order to make easier the design of complex systems and to allow the description of correct and unambigous systems. The ESTELLE language is one of the FDTs standarized by the OSI and it is well known in the software engineering and telecommunication areas. 1

2 Our aim is to extend this language in order to take into account a large class of timing constraints on systems to describe. Then, we will present a method for the generation of timed automata using the ESTELLE language. 2 Estelle language and time The ESTELLE language has been developed to describe distributed systems and in particular, telecommunication systems [ISO86, BD88]. It is based on concepts of structured communicating extended state automata. It describes the architecture and the behavior of systems. A system is considered as a set of subsystems connected by communication links. A subtree is a subtree of tasks. Tasks of dierent subsystems progress independently but there is a synchronous parallelism between tasks of the same subsystem. Communications between tasks is performed by means of message queues. The timing constraints are expressed using the DELAY operator. In fact, when we use this operator, we can only express how to delay the execution of an action. A minimum and a maximum value may be specied. 2.1 Limitations The ESTELLE language does not oer the clock object which count the time elapsing. The operator described in the previous section does not permit to consider some constraints as the comparison between two clocks which count dierent events or the comparison of a clock with a value. 3 Timed Input Output Automata In this section, we will give the formal description of timed input/output automata (TIOA). A timed automaton [AD94] is a classical automaton extended with a set of timed constraints and some operations on clocks. This formalism is rich enough for the description of timed systems. It has been used in many studies for system verication [DY96, HNSY92, HNSY94]. Timed input/output automata have been proposed to model nite-state realtime systems [EnFDE97, SVD97,?]. Each automaton has a nite set of states and a nite set of clocks which are real-valued variables. All clocks proceed at the same rate and measure the amount of time that has elapsed since they were started or reset. Each transition of the system might reset some of the clocks, and has an associated enabling condition which is a constraint on the values of the clocks. A transition can be taken only if the current clock values satisfy its enabling condition. An example of timed input/output automaton is given in Figure Denitions In this section, we give formal denitions about timed input/output automata. These denitions are widely inspired from ones given in [AD94]. 2

3 Denition 3.1 Clock constraints and clock guard A clock constraint over a set C of clocks is either a boolean expression of the form x 2 I where x 2 C and I a real interval, or a boolean expression of the form x y or x < y where x; y 2 C. A clock guard over C is a conjunction of clock constraints over C. Denition 3.2 Timed Input Output Automata A timed input output automaton A is dened as a tuple ( A ; L A ; l 0 A ; C A; E A ), where: A is a nite alphabet, splitted in two parts : the input actions, beginning with a \?", and the output actions, beginning with a \!" L A is a nite set of locations, l 0 A 2 S is the initial location, C A is a nite set of clocks, E A L A L A A 2 C A (CA ) is the set of transitions. An edge (l; l 0 ; a; ; G) represents a transition from location l to location l 0 on input symbol a. The subset C A allows the clocks to be reset with this transition, and G is a clock guard over C A. (C A ) is the set clock guards over C A An example of a Timed Input Output Automaton is given in Figure 3. Denition 3.3 Clock valuation A clock valuation over a set of clocks C is a map v that assigns to each clock x 2 C a value in R + (set of nonnegative reals). We denote the set of clock valuation by V (C). A clock valuation v satises a clock guard G, denoted v j= G, if and only if G evaluates to true under v. For d 2 R +, v + d denotes the clock valuation which assigns a value v(x)+d to each clock x. For X C, [X 7! d]v denotes the clock valuation for C which assigns d to each x 2 X, and agrees with v over the rest of the clocks. Denition 3.4 Clock region Let A = ( A ; L A ; l 0 A ; C A; E A ) be a timed input output automaton. 8x i 2 C A, let c x = maxfc j ((x c) _ (c x)) is a constraint over x i g The equivalence relation is dened over the set V (C A ) ; v v 0 i : 8x i 2 C A ; (bv(x i )c = bv 0 (x i )c) _ ((v(x i ) c xi ) ^ (v 0 (x i ) c xi )) (1) 8x i ; x j 2 C A j ((v(x i ) c xi ) ^ (v(x j ) c xj )); (fv(x i )g fv(x j )g, fv 0 (x i )g fv 0 (x j g)) (2) 8x i 2 C A j v(x i ) c xi ; (fv(x i )g = 0, fv 0 (x i )g = 0) (3) A clock region for A is an equivalence class of clock valuations induced by. Let [v] denote the clock region to which v belongs. Denition 3.5 Clock zones A zone z is a convex polyhedron formed by clock constraints. It consists of a union of clock regions. 3

4 The timed input/output automaton may be transformed into a region graph which is equivalent and where timing constraints are expressed on states instead of transitions. Denition 3.6 Region graph Let A = ( A ; L A ; l 0 A ; C A; E A ) be a timed input output automaton. A (classical) region graph of A is an automaton RA = ( RA ; S RA ; s 0 RA ; E RA) where: RA = A [,where represents the elapse of time S RA fhs; [v]i j s 2 S A ^ v 2 V (C A ) s 0 RA = hl0 A ; [v 0]i where v 0 (x) = 0 for all x 2 C A a R A has a transition, q?! RA q 0, from state q = hs; [v]i to state q 0 = hs 0 ; [v 0 ]i on action a, i either { a 6= and there is a transition (s; s 0 ; a; ; G) 2 E A and d 2 R + such that (v + d) j= G and v 0 = [ 7! 0](v + d), { a =, s = s 0 and there exists d 2 R + such that v 0 = v + d. Denition 3.7 Zone successor Let RA = ( RA ; S RA ; s 0 RA ; E RA) be a region graph. A zone z 0 is said to be a zone a successor of a zone z for symbol a i there exists a transition q?! RA q 0 where q = hl; Y i and q 0 = hl 0 ; Y 0 i with z Y and z 0 Y 0. 4 Generation of timed automata from a single module We propose a method to generate timed automata from ESTELLE specications. The main parts of this contribution are : the syntactic part: we add a new constructor TVAR for the declaration of clocks, the semantic part: we propose some rules which show how to manage clocks in the automata generation step. 4.1 Syntactic part In order to take into account the timed constraints, we rst propose a new constructor to declare clocks: TVAR v 1 :::v n where v i are the clocks to be used in the system. This constructor is similar to the VAR constructor and the use of the variables v i is almost similar to other variables (in expressions, in PROVIDED clauses, in actions,...). 4

5 4.2 Semantic part As we have shown in the previous part, on a transition in a timed automaton there are two parts: the action part containing the input or output actions and the timed part (it could be a comparison between clocks and/or constants, and/or operations on clocks : reset for example). This part explains how to translate any specication containing the new constructor TVAR. In the transition part, all the specic ESTELLE constructors will be considered as described in the standard [ISO86]. When a clock variable is met in the specication, we will apply rules described in the next section Provided clause When the clock variable is met in the PROVIDED clause, this clause will be rewritten as a constraint in the timed part of the transition in the timed automaton, Example, the following transition is translated as shown in the Figure 1. from S2 to S1 provided X > 2 name T: begin output(mess) S1!MESS x > 2 - S2 Figure 1 : Example of a transition Action part When the clock variable is met in the action part, this action will be rewritten as an action in the timed part of the transition in the timed automaton. It could be done either in the input part or in the output part of the transition. For example, the following transition is translated as shown in the Figure 2. trans from S1 to S2 when C.MESS name T1: begin X := 4; 5

6 ?MESS - S2 S1 x := 4 Figure 2 : Example of a transition with action 4.3 Example The timed input/output automaton presented in Figure 3 has been generated from the following ESTELLE specication. In this system, we model a small system waiting for an image (?rec im). When the image arrives the system begins waiting for the sound at maximum 2 seconds. If it receives a sound before the deadline, an acknowledgment will be sent (!ack all) before 5 seconds, otherwise, it will send a negative acknowlegment (!nack all). specification Example ; default individual queue; timescale second; channel Entry(R1,R2) by R1: rec_ima; by R2: rec_sou; channel WayOut(Sack, Snack) by S1: ack_all; by S2: nack_all; module M systemactivity; ip R: Entry(R1); S: WayOut(Sack); body M1 for M; state S1,S2,S3,S4,S5; tvar x, y; var mess : t; initialize to S1 begin x:=0; y:=0; trans from S1 to S2 when C.rec_ima name T1: begin X := 0; Y := 0; from S2 to S3 when C.rec_sou provided x <= 2 6

7 name T2: begin from S2 to S1 provided X > 2 name T3: begin output(nack_im) from S3 to S1 provided Y > 5 name T4: begin output(nack_all) from S3 to S4 provided Y <= 5 name T5: begin output(ack_all) from S4 to S1 name T6: begin 5 Generation from parallel systems Up to now we considered only specications containing one task in one subsystem. In this section we will give some rules about the generation of a timed automaton from a system composed of a set of subsystems running in parallel. In fact, the main problem to solve is how to compose timed automata. 5.1 Some solutions We can use two techniques of generation : generation of a TIOA from each module and composition of the set of TIOAs, generation of only one TIOA from the whole system. 5.2 Solution 1 In this case, we should compose timed automata. The synchronisation is made by using message queues. The synchronisation between two transitions of two automata is possible if and only if one of them is waiting for an input symbol and the other 7

8 S1 y < 5?rec_im x := 0 y := 0 x > 2 S2!nak_im!ack_all x <= 2?rec_sou S3!reset y <= 5!ack_all S4 Figure 3 : The generated timed input output automaton one is ready to produce an output which could match with the waited symbol of the rst atomaton. In our case, this synchronisation will be possible if an additional condition is veried: the intersection between timing constraints of both transitions is not empty. Two cases can be met here : If some clock x is the same, semantically speaking, in the constraints of the two original clock guards, then either the conjunction of all the constraints invloving x is always false, and there is no synchronisation, or it is not a contradiction and it is part of the clock guard of the obtained synchronised transition. For example, if we have two transitions with the clock guards x 2 I and x 2 J where x is a clock and I and J are intervals, the synchronisation will be possible if and only if I \ J is not empty, and in this case the clock guard of the synchronised transition is x 2 I \ J. If no clock appears simultaneously in both clock guards, the two transitions are independantly reable and there will always be a synchronisation, whose clock guard shall be the conjunction of the clock guards of the two original transitions. For example, if we have two transitions with the clock guards x 2 I and y 2 J where x and y are clocks and I and J are intervals, we obtain a synchronised transition with the clock guard x 2 I ^ y 2 J. This process is performed at any composition of two transitions until the generation 8

9 of the global state machine of the whole system. 5.3 Solution 2 Here, we don't generate intermediate timed automata. In fact we use the same rules than ones presented in [ISO86] about the composition of modules in ESTELLE. We will only add the following rule : when a transition is reble (as explained in the standard), it became timed-reble (which is the last level) if all the timing constraints are satised. 5.4 The use of ESTELLE compilers In order to use existing compilers, we propose the following idea for considering clocks in specications. We will declare a clock variable by using the VAR operator but we will add a special comment /*$ TVAR*/. Before compiling any specication, we use a special lter which will extract all clock variables and prepares a data structure which will contain them. Then we will compile as usual. Finally, we will use this structure in the other steps of development as testing or code generation. 6 Some issues with timed automata 6.1 Specication The method presented before will help us to describe some protocols related to multimedia systems and real-time systems without changing many aspects in ES- TELLE. Presently, we are trying to use the tool XEDT [Bud92] in order to implement our ideas. The use of the intermediate form will help us very much. By using only the set of primitives oered to handle the intermediate form, we can develop a simple extension of the XEDT in the purpose to deal with our new operator. 6.2 Testing We recall the methodology proposed in [EnFD + 98], This methodology is based on the transformation of a timed automaton in an untimed one and testing the later automaton. But this methodology works only on timed automata having the following constraints: Constraints on TIOA for Testing This study deals with a class of timed input output automata which satisfy the following constraints : 1. one initial location, i.e. the system can only start from one state with all clocks initialized to zero, 9

10 2. there is no outgoing transition from the initial state labeled with an output action since in testing we apply test sequences to the IUT after bringing it back to its initial state (assuming a reset to initial state), 3. deterministic on the set of alphabet, i.e., from any location, we cannot have two outgoing transitions labeled by the same symbol and whose time constraints are satised simultaneously, 4. each transition in the automaton is executable, i.e. the system is sound where any time constraint may be satised by at least one clock valuation 6.3 Testing methodology steps This methodology is composed of the following steps : 1. transformation of the timed automaton into a region graph [AD94], 2. minimisation of the region graph [ACH + 92], 3. translation of the minimal region graph into an untimed automaton by adapting each label of a transition in the minimal region graph. In the generated automaton, the label of a transition is composed of an action and a zone number [EnFD + 98], 4. generation of timed test sequences using a classical untimed testing methods [FBK + 91, SLD92, NT81, VCI89], 5. the use of a specic test architecture described in [EnDE97]. 6. a complete fault coverage regarding a fault model described in [PF98]. 7 Conclusions We believe that time constraints are becoming more and more important in the system validation process. Since, the theory of timed automata has been developed for many years, it is very useful to propose the use of high-level languages such as ESTELLE to describe timed systems. As we show, we propose a very reduced extension of ESTELLE in order to consider timed systems. In the next future, we will study the extension of this technique for the whole ESTELLE language (multiple modules working in parallel and taking into account the data part). On the one hand, we are presently developing a prototype of an ESTELLE etranslator which allow the implementation of our concepts. On other hand, we intend to use the methodology to test timed systems proposed in [EnFDE97]. References [ACD91] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for probabilistic real-time systems. In J. Leach Albert, B. Monien, and M. Rodrguez, editors, Proceedings 18 th ICALP, Madrid, volume 510 of Lecture Notes in Computer Science, pages 113{126. Springer-Verlag,

11 [ACH + 92] [AD94] [BD88] [Bud92] R. Alur, C. Courcoubetis, N. Halbwachs, D. Dill, and H. Wong-Toi. Minimization of timed transition systems. In R. Cleaveland, editor, Proceedings CONCUR 92, Stony Brook, NY, USA, volume 630 of Lecture Notes in Computer Science, pages 340{354. Springer-Verlag, R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183{235, S. Budkowski and P. Dembinski. An introduction to estelle: A specication language for distributed systems. Computer Networks and ISDN Systems, Special Issue on FDT Concepts and Tools, (1), S. Budkowski. Estelle development toolset. Computer Networks and ISDN Systems, Special Issue on FDT Concepts and Tools, (1), [DY96] C. Daws and S. Yovine. Reducing the number of clock variables of timed automata. In Proceedings of the 1996 IEEE Real-Time Systems Symposium, RTSS'96, Washington DC, USA. IEEE Computer Society Press, [EnDE97] A. En-nouaary, R. Dssouli, and A. Elqortobi. Generation de tests temporises. In Proceedings of the 6 th bi-annual Colloque Francophone de l'ingenierie des Protocoles, Lieges, Belgique, [EnFD + 98] A. En-nouaary, H. Fouchal, R. Dssouli, A. Elqortobi, and E. Petitjean. imed Testing Using Clock Zone Vertices. In Proceedings of the 11th International Workshop on Test Communicating Systems IWTCS'98 (Tomsk, Russia) (Submitted)b, [EnFDE97] A. En-nouaary, H. Fouchal, R. Dssouli, and A. Elqortobi. Test derivation for timed systems. Report, LERI-RS (Universite de Reims), [FBK + 91] S. Fujiwara, G. von Bochmann, F. Khendek, M. Amalou, and A. Ghedamsi. Test selection based on nite-state models. IEEE Transactions on Software Engineering, 17(6):591{603, June [HNSY92] [HNSY94] T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In Proceedings 7 th Annual Symposium on Logic in Computer Science, Santa Cruz, California, pages 394{406. IEEE Computer Society Press, T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. Information and Computation, 111:193{ 244, [ISO86] ISO. Estelle: a formal description technique based on an extended state transition model ISO/TC97/SC21/WG16{1 DP9074, ISO/TC97/SC21/WG16{1 DP9074. [NT81] [PF98] S. Naito and M. Tsunoyama. Fault Detection for Sequential Machines by Transition Tours. Proccedings of the 11th. IEEE Fault Tolerant Computing Symposium, pages 238{243, E. Petitjean and H. Fouchal. A Fault Model for Timed Testing. Report: Leri-rs , LERI-RS (Universite de Reims),

12 [SLD92] [SVD97] [VCI89] Y.N. Shen, F. Lombardi, and A.T. Dabuhra. IEEE Transactions on Communications, 40, J. Springintveld, F.W. Vaandrager, and P. R. D'Argenio. Timed Testing Automata. Report CS-R9712, CWI, Amsterdam, August S. Vuong, W. Chan, and M. Ito. The UIOv-Method for Protocol Test Sequence Generation. In 2nd IWPTS International Workshop on Protocol Test Systems, Berlin,